Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2008 Federal Law Enforcement Training Center Financial Statement Audit
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-09-63                                                              April 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

April 27, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2008 Federal Law Enforcement Training Center (FLETC) consolidated balance sheet audit as of September 30, 2008.
It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-09-09, November 2008) and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of FLETC's FY 2008 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 5, 2008, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or make conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

KPMG LLP
2001 M Street, NW
Washington, DC 20036

March 26, 2009

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Federal Law Enforcement Training Center

Chief Financial Officer
U.S. Federal Law Enforcement Training Center

Ladies and Gentlemen:

We have audited the accompanying consolidated balance sheets of the U.S.
Department of Homeland Security's (DHS) Federal Law Enforcement Training Center (FLETC) as of September 30, 2008 and 2007, and the related consolidated statements of net cost, and changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audit was to express an opinion on the fair presentation of these consolidated financial statements.

In connection with our fiscal year 2008 audit, we also considered FLETC's internal controls over financial reporting by obtaining an understanding of FLETC's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982 (FMFIA).

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects FLETC's ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S.
generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of FLETC's financial statements that is more than inconsequential will not be prevented or detected by FLETC's internal control over financial reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity's internal control.

We identified certain weaknesses during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control Findings by Audit Area section of this letter.

The significant deficiency and other matters described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

KPMG LLP, a U.S. limited liability partnership, is a member of KPMG International, a Swiss cooperative.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided: a description of key FLETC financial systems and information technology infrastructure within the scope of the FY 2008 FLETC financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C.
Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated March 26, 2009.

This report is intended solely for the information and use of FLETC management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2008

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope and Approach
Summary of Findings and Recommendations
IT General Control Findings by Audit Area
  Findings Contributing to a Significant Deficiency in IT
    Entity-wide Security Planning
    Access Controls
    Application Software Development and Change Controls
    Service Continuity
    System Software
    Segregation of Duties
Application Control Finding
Management Comments and OIG Response

APPENDICES

Appendix A: Description of Key FLETC Financial Systems and IT Infrastructure within the Scope of the FY 2008 FLETC Financial Statement Audit
Appendix B: FY 2008 Notices of IT Findings and Recommendations at FLETC
Appendix C: Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations
Appendix D: Management Comments

OBJECTIVE, SCOPE AND APPROACH

We were engaged to perform an audit of the Federal Law Enforcement Training Center's (FLETC) Information Technology (IT) general controls in support of the fiscal year (FY) 2008 FLETC financial statement audit. The overall objective of our engagement was to evaluate the effectiveness of IT general controls of FLETC's financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit.
The scope of the FLETC IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions as essential to the effective operation of the general IT controls environment.

• Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• System software (SS) – Controls that limit and monitor access to the powerful programs that operate computer hardware and secure the applications supported by the system.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Service continuity (SC) – Controls that involve procedures for continuing critical
operations without interruption, or with prompt resumption, when unexpected events occur.

In the current year, FLETC performed a significant upgrade to its [redacted] financial reporting software system, from version 3.7 to version 6.1. This upgrade occurred during the period of August 1, 2008 through August 17, 2008 and was conducted by a third party, CACI, Inc. ("CACI"). As such, the automated controls component of FLETC's entity level controls was significantly changed during the period under audit. In addition, several control weaknesses identified in the prior year were not mitigated because FLETC was relying on the impending [redacted] application upgrade and the installation of new hardware to improve the overall IT general controls (ITGC) security structure at FLETC. We designed our scope to perform a pre-conversion ITGC assessment. After the [redacted] conversion, we returned to FLETC to perform minimal ITGC test work over the new control environment.

In addition to testing FLETC's general control environment, we performed pre-conversion and post-conversion application control tests on a limited number of FLETC's financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure,
policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

Our audit procedures over IT general controls for FLETC included a review of its procedures, policies, and practices. The IT portion of our audit disclosed matters involving the internal controls over financial reporting and its operation that we consider to be a significant deficiency under standards established by the American Institute of Certified Public Accountants (AICPA). We noted deficiencies in the design and operation of FLETC's internal controls which could adversely affect the agency's financial statements. We noted deficiencies over entity-wide security planning, access controls, application development and change control, system software, segregation of duties, and service continuity that have contributed to the significant deficiency. The cumulative effect of the deficiencies identified should not lead to material misstatements in the agency-wide financial statements.
According to the AICPA, a significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles (GAAP) such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected.

During FY 2008, we noted that FLETC made minimal progress on its control weaknesses. Many of the prior year Notices of Findings and Recommendations (NFR) therefore could not be closed completely, because FLETC was relying on the impending [redacted] application upgrade, the decommissioning of [redacted], and the installation of new hardware to improve the overall ITGC security structure at FLETC. As a result, one (1) prior year NFR was closed, twenty (27) NFRs were reissued, and three (3) new NFRs were issued to FLETC.

FLETC management should ensure that emphasis is placed on the completion, monitoring and enforcement of IT security-related policies and procedures.
On-going measures to improve the IT security considerations for key financial systems operated by FLETC and to implement effective access controls, segregation of duties and change controls need to be completed.

While the recommendations made by KPMG should be considered by FLETC, it is the ultimate responsibility of FLETC management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Significant Deficiency in IT

During FY 2008, we noted the following IT and financial system control deficiencies that in aggregate are considered a significant deficiency:

1. Entity-wide Security Planning – we noted:
   • Incidents are not tracked from inception to resolution in an incident response management system.
   • Background investigations for contractors were not consistently performed.

2. Access Controls – we noted:
   • The following [redacted] and [redacted] access control weaknesses were identified:
     - Only draft policies and procedures exist regarding immediate notification of [redacted] and [redacted] system administrators when users are terminated or transferred.
     - Password configurations for [redacted] have been configured to permit passwords
to be a minimum of eight characters in length with no complexity requirements, which is not in compliance with the DHS 4300A Sensitive Systems Handbook.
   • Momentum security violation event audit logs are not reviewed.
   • Standard Operating Procedures (SOPs) for the use and installation of [redacted] technologies have been documented, but are not finalized.
   • Security inspections for all [redacted] networks have not been completed.
   • Configuration management weaknesses on [redacted] and the [redacted] were identified. These weaknesses included account management, auditing, database configuration and password management weaknesses.
   • Patch management weaknesses on the hosts and databases supporting the [redacted] applications and [redacted] were identified. Additionally, the same servers were identified as having excessive access privileges.

3. Application Software Development and Change Controls – we noted:
   • Configuration management plans are in draft form for [redacted] and [redacted]; thus, the plans have not been authorized and fully implemented.
Specifically, the following weaknesses were noted:
     - Lack of documented test plan standards and procedures;
     - Lack of documented guidance for bug fixes and enhancements, including the emergency change process.
   • Excessive access privileges exist: all FLETC domain level users have "modify, read, execute, and write" access to the [redacted] and [redacted] application program libraries.
   • The System Development Life Cycle (SDLC) for [redacted] is not finalized.

4. Service Continuity – we noted:
   • [redacted] server level, [redacted] and [redacted] database backups are not periodically tested.
   • The [redacted] contingency plan was tested in May 2008; however, the contingency plan was not updated to reflect the test results.

5. System Software – we noted:
   • The installation of [redacted] system software has been logged since May 2008; however, the application capturing the data has not been fully implemented, nor are the logs being reviewed by FLETC management.

6. Segregation of Duties – we noted:
   • [redacted] segregation of duties controls for the Accountant role were determined to be ineffective.

Recommendations: We recommend that the FLETC Chief Information Officer (CIO) and Chief Financial Officer (CFO),
in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to FLETC's financial management systems and associated information technology security program.

1. For Entity-wide Security Planning:
   • No recommendations will be offered, as both conditions were mitigated during the fiscal year.

2. For Access Controls:
   • Continue with the projected plan for decommissioning the [redacted] application.
   • Continue to finalize and implement "FM 4300: Information Technology System Security Program Policy", which provides policies for the use of [redacted] technologies.
   • Application system administrators should review security and system-related event logs on a periodic basis.
   • Conduct a security inspection of the [redacted] installations by completing the FLETC [redacted] Security checklist.
   • Implement the corrective actions identified during the audit vulnerability assessment, as identified in the issued NFR.
   • Perform periodic scans of the FLETC network environment, including the financial processing environment, to identify vulnerabilities, in accordance with National Institute of Standards and Technology (NIST) SP 800-42, and implement corrective actions to mitigate the risks associated with any
vulnerabilities identified during periodic scans.

3. For Application Software Development and Change Controls:
   • Ensure that access to the [redacted] and [redacted] program libraries is limited to only the Administrators group.
   • Fully implement the Change Control and Configuration Management SOP in the FLETC environment.
   • Continue with the projected plan for decommissioning the [redacted] application.
   • Finalize and implement an SDLC methodology guide for [redacted] and ensure that security planning has been incorporated throughout the life cycle.
   • Ensure that the SDLC methodology is promulgated to all personnel involved in the design, development, and implementation process.

4. For Service Continuity:
   • Consistently apply the new CIO Backup SOP and periodically test the [redacted] server level and Oracle database backups, at least annually, in compliance with DHS Information Technology Security Program Publication 4300A.
   • Continue with the projected plan for decommissioning the [redacted] application.
   • Ensure that the results of the [redacted] contingency plan test are reflected in the most recent application contingency plan.

5. For System Software:
   • Enable audit logging over the installation of [redacted] system software and ensure that logs are maintained and proactively reviewed by management.
   • Implement policies and procedures over audit logging of [redacted] system software.

6. For Segregation of Duties:
   • Evaluate the access rights for all roles within [redacted] and separate the duties for the creation and payment of vouchers.
   • Develop a process to ensure that the
segregation of duties between the Accountant roles is maintained.

Cause/Effect: FLETC did not expend the necessary time and resources to correct the application weaknesses due to the impending upgrade in August 2008. In addition, at the time of the prior year audit, FLETC had plans to replace Procurement Desktop with the DHS enterprise-wide procurement system [redacted] in August 2008; however, that implementation date was moved to October 2008. Therefore, the [redacted] weaknesses identified in the prior year were left uncorrected.

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness. The weaknesses identified within FLETC's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities. This access could allow a person to intentionally or inadvertently use various functions to alter the integrity of executable files and scripts within the financial system.

The lack of documented configuration management procedures for financial application level bug fixes and enhancements could lead to inadequate documentation of configuration management changes. Without standardized test plans and procedures, programming flaws with an adverse effect on FLETC's operations could go undetected. Documented procedures will maintain consistency in the implementation of established procedures.
Also, the configuration and patch management weaknesses identified in previous audits may increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls.

The Federal Financial Management Improvement Act (FFMIA) sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) to require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) to increase the accountability and credibility of federal financial management; (4) to improve performance, productivity and efficiency of Federal Government financial management; and (5) to establish financial management systems to support controlling the cost of Federal Government.
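The segregation-of-duties finding above (an Accountant role whose controls were found ineffective, with the recommendation to evaluate access rights for all roles and separate voucher creation from voucher payment) is the kind of condition that can be checked mechanically from a role-to-permission export. The script below is an added example written for this page; it is not code from the OIG/KPMG report and is not FLETC's, Momentum's or any financial system's code. Every role name, permission name, user assignment and conflict pair in it is a constructed assumption. It goes slightly beyond the finding: it flags both roles whose own definition bundles conflicting permissions (the Accountant case) and users whose combination of individually clean roles produces the same conflict.

```python
"""Segregation-of-duties (SoD) conflict check over a role-based access model.

Added example for this page; not code from the OIG/KPMG report, FLETC, or
any financial system.  All role names, permission names, user assignments
and conflict pairs below are constructed assumptions.
"""
from __future__ import annotations

# Constructed role -> permission map.  "Accountant" deliberately mirrors the
# finding: one role that can both create and pay vouchers.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "Accountant": {"voucher.create", "voucher.approve", "voucher.pay", "report.view"},
    "AP_Clerk": {"voucher.create", "report.view"},
    "Disbursing_Officer": {"voucher.pay", "report.view"},
    "Auditor": {"report.view", "audit_log.view"},
}

# Constructed user -> role assignments.  "carol" holds two individually clean
# roles whose combination is toxic.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"AP_Clerk"},
    "bob": {"Accountant"},
    "carol": {"AP_Clerk", "Disbursing_Officer"},
    "dave": {"Auditor"},
}

# Conflict matrix (assumed): pairs of permissions no single person may hold.
CONFLICT_PAIRS: set[frozenset[str]] = {
    frozenset({"voucher.create", "voucher.pay"}),
    frozenset({"voucher.create", "voucher.approve"}),
    frozenset({"voucher.approve", "voucher.pay"}),
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role assigned to ``user``."""
    perms: set[str] = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def role_conflicts(role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICT_PAIRS):
    """Roles whose own permission set contains a conflicting pair.

    These are design defects in the role itself; the fix is to split the
    role, not merely to reassign users.  Returns {role: [(perm_a, perm_b), ...]}.
    """
    found = {}
    for role, perms in role_permissions.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            found[role] = hits
    return found


def user_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICT_PAIRS):
    """Users whose combined roles grant a conflicting pair.

    Returns {user: [(perm_a, perm_b, {perm: [roles granting it]}), ...]} so a
    reviewer can see which assignment to remove.  This catches combinations
    of roles that are each clean on their own.
    """
    found = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(user, user_roles, role_permissions)
        for pair in sorted(conflicts, key=lambda p: tuple(sorted(p))):
            if pair <= perms:
                perm_a, perm_b = sorted(pair)
                sources = {
                    p: sorted(r for r in roles if p in role_permissions.get(r, ()))
                    for p in (perm_a, perm_b)
                }
                found.setdefault(user, []).append((perm_a, perm_b, sources))
    return found


if __name__ == "__main__":
    for role, pairs in role_conflicts().items():
        print(f"ROLE DESIGN CONFLICT {role}: {pairs}")
    for user, hits in user_conflicts().items():
        for perm_a, perm_b, sources in hits:
            print(f"USER CONFLICT {user}: {perm_a} + {perm_b} via {sources}")
```

Run against a real export, the two checks answer the two halves of the recommendation separately: role_conflicts tells management which roles must be redesigned before any reassignment helps, and user_conflicts is the periodic review that keeps the separation in place once the roles are clean. The conflict matrix is the part an auditor has to agree with the business owner; the rest is mechanical.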
In closing, for this year's IT audit we assessed the DHS component's compliance with DHS Sensitive Systems Policy Directive 4300A.

APPLICATION CONTROL FINDING

During FY 2008, we noted the following application control weakness:

• [redacted] users were granted inappropriate superuser access during the post-conversion phase.

Recommendation: No recommendation will be offered, as this weakness was remediated during FY 2008 upon notification by KPMG.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the Director of FLETC. Generally, FLETC agreed with all of our findings and recommendations. FLETC has developed a remediation plan to address these findings and recommendations.
We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

OIG Response

We agree with the steps that FLETC management is taking to satisfy these recommendations.

Appendix A

Description of Key FLETC Financial Systems and IT Infrastructure within the Scope of the FY 2008 FLETC Financial Statement Audit

Below is a description of significant FLETC financial management systems and supporting IT infrastructure included in the scope of the FY 2008 Financial Statement Audit engagement.

Location of Audit: FLETC Headquarters in [redacted] and a FLETC field office in [redacted].

Key Systems Subject to Audit:
• [redacted]: FLETC's core financial management system that processes financial documents generated by various FLETC divisions in support of procurement, payroll, budget and accounting activities.
All financial, procurement and budgeting transactions where FLETC is involved are\n      processed by\n\n   \xef\xbf\xbd                            FLETC\xe2\x80\x99s procurement management system, which is used for the tracking\n       of procurement activities at various FLETC locations.                       is a system used to\n       input requisitions for the acquisition of goods and services.                      purpose is to\n       process contractual documents generated by FLETC in support of procurement activities. The\n       system resides on an                        and the front-end of the system is integrated with\n\n\n\n\n                                                 10\n Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                              Appendix B\n\n                             Department of Homeland Security \n\n                        Federal Law Enforcement Training Center\n\n                         Information Technology Management Letter\n                                    September 30, 2008\n\n\n\n\n                                    Appendix B \n\n\n FY2008 Notices of IT Findings and Recommendations \xe2\x80\x93 Federal \n\n              Law Enforcement Training Center\n\n\n\n\n\n                                           11\nInformation Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                           Appendix B\n\n                                  Department of Homeland Security \n\n                             Federal Law Enforcement Training Center\n\n                              Information Technology Management Letter\n                                         September 30, 2008\n\n\n\n\nNotices of Findings and Recommendation \xe2\x80\x93 Definition of Risk Ratings:\n\nThe Notices of Findings and Recommendations (NFR) 
risk was ranked as High, Medium, and Low**\nbased upon the potential impact that each weakness could have on the DHS component\xe2\x80\x99s information\ntechnology (IT) general control environment and the integrity of the financial data residing on the DHS\ncomponent\xe2\x80\x99s financial systems, and the pervasiveness of the weakness.\n\n**The risk ratings are provided solely to assist management with prioritization of corrective\nactions. The risk ratings have no relationship to the definition, or our classification, of a control\ndeficiency as a material weakness or significant deficiency. The risk ratings, used in this context, are\nnot defined by Government Auditing Standards, issued by the Comptroller General of the United States,\nor the American Institute of Certified Public Accountants (AICPA) Professional Standards, and do not\nnecessarily correlate to a significant deficiency, as defined by the AICPA Standards and reported in our\nIndependent Auditors\xe2\x80\x99 Report on the FLETC consolidated financial statements, dated March 26, 2009.\n\nCorrection of some higher risk findings may help mitigate the severity of lower risk findings, and\npossibly function as a compensating control. 
In addition, analysis was conducted collectively on all\nNFRs to assess connections between individual NFRs, which when joined together, could lead to a\ncontrol weakness occurring with more likelihood and/or higher impact potential.\n\nHigh Risk**: A control weakness that is more serious in nature affecting a broader range of financial IT\nsystems, or having a more significant impact on the IT general control environment and /or the integrity\nof the financial statements as a whole.\n\nMedium Risk**: A control weakness that is less severe in nature, but in conjunction with other IT\ngeneral control weaknesses identified, may have a significant impact on the IT general control\nenvironment and / or the integrity of the financial statements as a whole.\n\nLow Risk**: A control weakness minimal in impact to the IT general control environment and / or the\nintegrity of the financial statements.\n\n\n\n\n                                                  12\n Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                              Appendix B\n\n                             Department of Homeland Security \n\n                        Federal Law Enforcement Training Center\n\n                         Information Technology Management Letter\n                                    September 30, 2008\n\n\n\n\n             Federal Law Enforcement Training Center \n\n                   FY2008 Information Technology \n\n          Notices of Findings and Recommendations \xe2\x80\x93 Detail \n\n\n\n\n\n                                           13\nInformation Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                    Appendix B\n\n                                                   Department of Homeland Security \n\n                
                              Federal Law Enforcement Training Center\n\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                Department of Homeland Security\n\n                                                              FLETC\n\n                                                 FY2008 Information Technology \n\n                                        Notices of Findings and Recommendations \xe2\x80\x93 Detail \n\n\n\n                                                                                                                                            Risk\nNFR #                       Condition                                     Recommendation                       New Issue   Repeat Issue\n                                                                                                                                           Rating*\nFLETC\xc2\xad    FLETC finalized and approved the Financial       We recommend that FLETC Ensure that access                           X          Medium\n IT-08\xc2\xad   Management         System       Configuration    to the            program libraries is limited to\n   01     Management Standard Operating Procedures,        only the Administrators group.\n          which detail testing procedures. This prior\n          year condition will be reissued as the\n          weakness has been in place for the majority of\n          the fiscal year.\n\n          The access group, \xe2\x80\x9c      \\                 has\n          modify, read, execute, and write access to the\n                      application program libraries. 
We\n          determined that this gives all FLETC domain\n          level users modify, read, execute, and write\n          access to the             application program\n          libraries.\n\n\n\n\n                                                                    14\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                     Appendix B\n\n                                                   Department of Homeland Security\n                                              Federal Law Enforcement Training Center\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                                                                                                             Risk\nNFR #                       Condition                                      Recommendation                       New Issue   Repeat Issue\n                                                                                                                                            Rating*\nFLETC\xc2\xad    FLETC finalized and approved the Financial        \xef\xbf\xbd\t   Continue with the projected plan for                            X          Medium\n IT-08\xc2\xad   Management         System       Configuration          decommissioning the\n   02     Management Standard Operating Procedures,              application.     Develop and implement\n          which detail testing procedures. 
This prior            policies and procedures over the\n          year condition will be reissued as the                 configuration management process for\n          weakness has been in place for the majority of                application level changes;\n          the fiscal year.\n                                                            \xef\xbf\xbd\t   Ensure that access to the\n          Due to the decommissioning of the                              program libraries is limited to only\n          application, we learned that FLETC has not             the Administrators group.\n          developed policies and procedures for\n                                        bug fixes and\n          enhancements. This prior year condition will\n          be reissued as the weakness has been in place\n          for the majority of the fiscal year.\n\n          All    FLETC       domain      level    users\n          inappropriately have modify, read, execute,\n          and write access to the\n          support files.\nFLETC\xc2\xad    The installation of                   system      We      recommend       that    FLETC,      upon                     X          Medium\n IT-08\xc2\xad   software is not currently logged or reviewed      implementation of the        system, enable audit\n   03\n    by FLETC management.                              logging over the installation of\n                                                            system software and ensure that logs are\n                                                            maintained and proactively reviewed by\n                                                            management.\nFLETC\xc2\xad    The SDLC for              is currently in draft   1\t Finalize and implement a SDLC                                     X          Medium\n IT-08\xc2\xad   form.                                                 
methodology guide for                FLETC\n   04                                                           Directive and FLETC Manual. Ensure that\n                                                                security planning has been incorporated\n                                                                throughout the life cycle;\n\n                                                            2\t   Ensure that the SDLC methodology is\n                                                                 promulgated to all personnel involved in the\n\n                                                                      15\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                   Department of Homeland Security\n                                              Federal Law Enforcement Training Center\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                                                                                                                Risk\nNFR #                       Condition                                       Recommendation                         New Issue   Repeat Issue\n                                                                                                                                               Rating*\n                                                                 design, development, and implementation\n                                                                 process of the SDLC methodology.\nFLETC-    We determined that FLETC has begun to              Consistently apply the new CIO Backup SOP             
                 X          Medium\n IT-08\xc2\xad   implement corrective actions to address the        and periodically test the             server level\n\n   05\n    prior year finding; however we learned that        and                   backups at least annually in\n\n          FLETC \n              server level and              compliance with the DHS Sensitive System\n\n                   backups are not periodically tested. \n    Policy Directive 4300A.\n          Additionally, we noted that procedures or a\n          testing schedule are not in place for\n                      server level and\n          backups.\nFLETC-    The               contingency plan has not      \xef\xbf\xbd      Perform     corrective action over the                             X          Medium\n IT-08\xc2\xad   been fully tested. We determine that the                            Contingency Plan test results \n\n   06\n    recovery and resumption procedures were not            and update the plan accordingly. \n\n          tested during the table-top test of the \n \xef\xbf\xbd            Perform a test over the\n                      contingency plan.                          Contingency Plan, covering all critical\n                                                                 phases of the plan, on an annual basis.\nFLETC-    The FLETC Computer Security Operations             No recommendation will be offered as the                               X          Medium\n IT-08\xc2\xad   Center and Computer Security Incident              condition was mitigated during the fiscal year \n\n   07\n    Response Capability SOP, is currently in draft\n          form. 
Additionally, we noted that incidents\n          are not tracked from inception to resolution in\n          an incident response management system.\nFLETC-    We noted that incompatible duties over             Continue with the projected            plan    for                     X            Low\n IT-08\xc2\xad                          have not been identified    decommissioning the \n\n   08\n    and that the                       administrator   application. \n\n          is no longer a procurement approver. However,\n\n          policies and procedures have not been              \n\n          developed to segregate incompatible duties. \n\n\n\n\n\n                                                                      16\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                    Appendix B\n\n                                                    Department of Homeland Security \n\n                                               Federal Law Enforcement Training Center\n\n                                                Information Technology Management Letter\n                                                           September 30, 2008\n\n                                                                                                                                            Risk\nNFR #                        Condition                                      Recommendation                     New Issue   Repeat Issue\n                                                                                                                                           Rating*\nFLETC\xc2\xad    We determined that the procedures for granting      \xef\xbf\xbd   Document access procedures within the                         X           Low\n IT-08\xc2\xad   access to the Telecom Room have not been           
     Telecom Room Access SOP, including the\n   09     documented and no user authorization form is            use of a user authorization form;\n          used and maintained for access requests.            \xef\xbf\xbd   Update the Telecom Room Access SOP to\n                                                                  include access granting procedures as well\n          We noted that no documented procedures on re\xc2\xad           as re-entry procedures, and;\n          entry into the facility after an emergency exist.\n                                                              \xef\xbf\xbd   Perform training for Telecom Room staff\n          FLETC also advised that all personnel on the\n                                                                  and regular visitors over emergency\n          Telecom Room access listing and regular\n                                                                  procedures pertaining, but not limited to\n          visitors to the Telecom Room are provided fire\n                                                                  fire, water, and alarm procedures.\n          suppression training. 
However, no supporting\n                                                                  Additionally, formalize this training by\n          documentation was provided to support this\n                                                                  retaining documentation that all staff has\n          effort.\n                                                                  completed the training.\n\n\n\n\n                                                                      17\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security \n\n                                               Federal Law Enforcement Training Center\n\n                                                Information Technology Management Letter\n                                                           September 30, 2008\n\n                                                                                                                                           Risk\nNFR #                        Condition                                    Recommendation                      New Issue   Repeat Issue\n                                                                                                                                          Rating*\nFLETC\xc2\xad    We found that FLETC Manual (FM) 4300:             \xef\xbf\xbd   Continue with their projected plan for                         X          Medium\n IT-08\xc2\xad   Information Technology System Security                decommissioning the\n   10     Program and Policy, which establishes the             application.    
Additionally, develop and\n          policies to be followed when an employee or           implement      procedures    over   access\n          contractor is separated or terminated, is             authorizations for\n          currently in draft form.          Additionally,\n                                     does not require       \xef\xbf\xbd   Develop and implement procedures to\n          passwords to contain a combination of upper           periodically review the list of user\n          and lower case letters and special characters.        accounts;\n\n                                                            \xef\xbf\xbd   Finalize and implement FM 4300:\n                                                                Information Technology System Security\n                                                                Program and Policy, requiring the\n                                                                immediate notification of terminated or\n                                                                transferred users with FLETC IT accounts;\n\n                                                            \xef\xbf\xbd   Ensure that the       application requires\n                                                                a password to be a minimum of eight\n                                                                characters in length and contain a\n                                                                combination of alphabetic, numeric, and\n                                                                special characters to be in compliance\n                                                                with the DHS Sensitive System Policy\n                                                                Directive 4300A.\nFLETC\xc2\xad    We determined that the FLETC Directive            No recommendation will be offered as the                           X            Low\n IT-08\xc2\xad   (FD) 4320: IT System 
Security Awareness           condition was mitigated during the fiscal year.\n   11     and Training is in draft form.\nFLETC\xc2\xad    We determined that FLETC is in the process        We recommend that FLETC finalize and update                        X            Low\n IT-08\xc2\xad   of refining the FD/FM 4300 to be in               FD/FM 4300 based on the most recent version\n   12     accordance with the DHS Sensitive System          of the DHS Sensitive System Policy Directive\n          Policy Directive 4300A.                           4300A and implement the policy, which\n                                                            provides policies and procedures over the\n                                                            authorization and use of mobile code\n                                                            technologies.\n\n                                                                     18\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                     Department of Homeland Security \n\n                                                Federal Law Enforcement Training Center\n\n                                                 Information Technology Management Letter\n                                                            September 30, 2008\n\n                                                                                                                                                Risk\nNFR #                        Condition                                        Recommendation                       New Issue   Repeat Issue\n                                                                                                                                               
Rating*\nFLETC\xc2\xad    We determined that FLETC has developed               Finalize and implement \xe2\x80\x9cFM 4300: Information                         X           Low\n IT-08\xc2\xad   policies and procedures to proactively monitor       Technology System Security Program and\n   13     sensitive access to system software utilities        Policy,\xe2\x80\x9d which provides policies and procedures\n          for              in the \xe2\x80\x9cFM 4300: Information        to proactively monitor sensitive access to system\n          Technology System Security Program and               software utilities for\n          Policy.\xe2\x80\x9d However, we noted that this policy is\n          in draft form.\nFLETC\xc2\xad    We determined that FLETC has developed               Finalize and implement \xe2\x80\x9cFM 4300: Information                         X            Low\n IT-08\xc2\xad   policies for restricting access to                   Technology System Security Program and\n   14     system software in the \xe2\x80\x9cFM 4300: Information         Policy,\xe2\x80\x9d which provides policies for restricting\n          Technology System Security Program and               access to           system software;\n          Policy.\xe2\x80\x9d However, we noted that this policy is\n          in draft form.\nFLETC\xc2\xad    We noted that FLETC has developed policies           Finalize and implement the \xe2\x80\x9cFM 4300:                                 X            Low\n IT-08\xc2\xad   for the segregation of duties in the, \xe2\x80\x9cFM 4300:      Information Technology System Security\n   15     Information Technology System Security               Program and Policy,\xe2\x80\x9d which provides policies\n          Program and Policy.\xe2\x80\x9d However, we noted that          for segregation of duties in Momentum.\n          the policy is currently in draft form.\nFLETC\xc2\xad    We noted that FLETC has developed polices for        \xef\xbf\xbd   Continue to 
finalize and implement the \xe2\x80\x9cFM                       X          Medium\n IT-08\xc2\xad   the use of                                 (             4300: Information Technology System\n   16     technologies,      \xe2\x80\x9cFM      4300:      Information       Security Program and Policy,\xe2\x80\x9d which\n          Technology System Security Program and                   provides policies for the use of VoIP\n          Policy.\xe2\x80\x9d However, we noted that the SOP is               technologies;\n          currently in draft form.                             \xef\xbf\xbd   Conduct a security inspection of the\n                                                                              installations by completing the\n          Additionally, we learned that the security               FLETC         Security Checklist.\n          inspections have not been applied to all VoIP\n          networks, but is planned with the new\n          Certification and Accreditation (C&A)\n          scheduled in 2008.\n\n\n\n\n                                                                        19\n               Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                    Department of Homeland Security \n\n                                               Federal Law Enforcement Training Center\n\n                                                Information Technology Management Letter\n                                                           September 30, 2008\n\n                                                                                                                                              Risk\nNFR #                        Condition                                       Recommendation                      New Issue   
Repeat Issue\n                                                                                                                                             Rating*\nFLETC\xc2\xad    During our FY 2008 review, we determined that        No recommendation will be offered since the                        X          Medium\n IT-08\xc2\xad   the FLETC has established a process where            condition was mitigated during the fiscal year.\n   17     background checks and periodic reinvestigations\n          for all new and existing contractors are\n          performed in a timely manner and that\n          supporting documentation be maintained.\n          However, we noted a weakness in that two\n          outstanding users still had access to the FLETC\n          network. As a result, the FLETC responded\n          immediately and removed both users\xe2\x80\x99 access.\n          However, since the risk was present the majority\n          of the fiscal year, this NFR will be reissued\n          without any recommendations\nFLETC\xc2\xad    We noted that FLETC has developed polices for        \xef\xbf\xbd   Finalize and implement \xe2\x80\x9cFM 4300:                               X            Low\n IT-08\xc2\xad   the review of                          audit logs,       Information Technology System Security\n   18     \xe2\x80\x9cFM 4300: Information Technology System                  Program and Policy,\xe2\x80\x9d which provides\n          Security Program and Policy.\xe2\x80\x9d However, we                policies for the review of audit logs;\n          noted that the SOP is currently in draft form.\n          Additionally, we noted that FLETC has                \xef\xbf\xbd   Continue with the decommissioning plan of\n          continued with the decommissioning of the                the                    application.\n                                   application; however it\n          has not been completed.\nFLETC\xc2\xad    In FY 2008, FLETC stated that no 
progress has been made on this weakness. FLETC management recommended setting the policy to 5 minutes for all users and then making exceptions as needed for trainers who need them. FLETC management has submitted an exception waiver request to DHS seeking a waiver from the DHS Sensitive System Policy Directive 4300A.
  Recommendation: We recommend that FLETC configure the FLETC domain level inactivity threshold of the password protected screensaver to five (5) minutes to be in compliance with the DHS Sensitive System Policy Directive 4300A.
  (NFR FLETC-IT-08-20: Repeat Issue; Risk Rating: Low)

20
Information Technology Management Letter for the FY 2008 FLETC Financial Statement Audit

Appendix B

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2008

Columns: NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating*

FLETC-IT-08-21  (Repeat Issue; Risk Rating: Low)
  Condition: In FY 2008, we noted that FLETC is in the process of finalizing and implementing FM 4300: Information Technology System Security Program and Policy. Therefore, since the recommendation has not been fully addressed, NFR FLETC-IT-07-21 will be re-issued.
  Recommendation: We recommend that FLETC finalize and implement FM 4300: Information Technology System Security Program and Policy, and promulgate it to all necessary users.

FLETC-IT-08-22  (Repeat Issue; Risk Rating: Low)
  Condition: FLETC does not capture and maintain user access violations in [redacted]. We determined that FLETC has established a process which requires that all [redacted] users will only be granted access once the user access form is appropriately completed and subsequently approved by a supervising authority. Since this improvement was not in place for the majority of the fiscal year, the associated weakness will be reissued with no recommendation. We also determined that FLETC has made progress over the usage of prior passwords. The new process follows the DHS standard of eight iterations. Since this improvement was not in place for the majority of the fiscal year, the associated weakness will be reissued with no recommendation.
  Recommendation: Continue with the projected plan for decommissioning the [redacted] application.

FLETC-IT-08-23  (Repeat Issue; Risk Rating: Low)
  Condition: In FY 2008, we learned that FLETC has not validated all users for [redacted]. Additionally, FLETC has removed users that no longer have access, but this process is not being performed consistently. Therefore, since the finding has not been fully addressed, the NFR will be re-issued.
  Recommendation:
    • Perform a recertification of all [redacted] user access and validate the existing [redacted] user access of individuals who stated they still need access;
    • Continue to consistently remove [redacted] user access that is no longer needed.
FLETC-IT-08-24  (Repeat Issue; Risk Rating: Low)
  Condition: FLETC provided the FLETC Financial Management System Contingency and Disaster Recovery Plan, dated June 18, 2008. However, the contingency plan did not contain evidence to support that the document is stored offsite.
  Recommendation: We recommend FLETC ensure that several updated copies of the [redacted] Contingency Plan are located at the [redacted] site for use by contingency staff.

FLETC-IT-08-25  (Repeat Issue; Risk Rating: Low)
  Condition: During the FY 08 follow-up, we received the finalized SOP 4203 IT Systems Maintenance Management, effective as of April 29, 2008, and SOP 4204 Anti-Virus for Servers, effective as of April 29, 2008. This NFR will be reissued with no recommendation since the condition existed for the majority of the fiscal year.
  Recommendation: As FLETC has effectively implemented the new policies effective April 2008, no recommendation will be offered.

FLETC-IT-08-26  (Repeat Issue; Risk Rating: Medium)
  Condition: During technical testing, configuration management weaknesses were identified on hosts and databases supporting the [redacted] System, [redacted] and [redacted] applications.
  Recommendation:
    • Implement the corrective actions noted in the findings.
    • Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST Special Publication (SP) 800-42.
    • Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

FLETC-IT-08-27  (Repeat Issue; Risk Rating: Medium)
  Condition: During technical testing, patch management weaknesses were identified on hosts and databases supporting the [redacted] and [redacted] application. The fact that these vendor supplied patches have not been applied in a timely manner could allow a remote attacker to gain unauthorized access on the host or database.
  Recommendation:
    • Implement the corrective actions noted in the findings.
    • Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
    • Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

FLETC-IT-08-29  (Repeat Issue; Risk Rating: Medium)
  Condition: In FY 2008, we learned that [redacted] is still in production; however, no backups are being tested. FLETC management stated that [redacted] decommissioning is planned for the first quarter of FY 08; however, at the time of the audit it had not been completed.
  Recommendation: Continue with the projected plan for decommissioning the [redacted] application.

FLETC-IT-08-30  (New Issue; Risk Rating: Medium)
  Condition: During FY 2008 testing of controls after [redacted] conversion, we determined that four (4) support contractors and an additional user account used by the support contractor, called "Object CORE admi", had superuser access privileges within [redacted]. Based on notification of this weakness, FLETC management responded by removing the access as of September 24, 2008. Therefore, this finding will be issued with no recommendation.
  Recommendation: No recommendation will be offered since the weakness was remediated upon notification.

FLETC-IT-08-31  (New Issue; Risk Rating: Medium)
  Condition: During FY 2008, we noted that the [redacted] application will allow "3 unsuccessful attempts" before the user will be locked out of the application. The application will track these security violations in an audit log; however, FLETC does not perform a periodic review of the log.
  Recommendation: We recommend that application system administrators review security and system-related event logs on a periodic basis.

FLETC-IT-08-32  (New Issue; Risk Rating: Medium)
  Condition: During FY 2008 testing of controls after [redacted] conversion, we determined that the segregation of duties controls were not effective. Specifically, we found that the 'Accountant-1' role has the ability to create and approve payment vouchers within [redacted].
  Recommendation:
    • Evaluate the access rights for all roles within [redacted] and separate the duties for the creation and payment of vouchers.
    • Develop a process to ensure the segregation of duties between the Accountant roles is maintained.

* Risk ratings are only intended to assist management in prioritizing corrective actions.
Risk ratings in this context do not correlate to definitions of control deficiencies as identified by the AICPA.

Appendix C

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2008

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations

Columns: Component | NFR # | Description | Disposition (Closed / Repeat)

FLETC  FLETC-IT-07-01  (Disposition: Repeat, FLETC-IT-08-01)
  Description: The Change Control and Configuration Management SOP for all preventative maintenance and patch management over [redacted] is currently in draft form. Additionally, the Change Control and Configuration Management SOP does not detail testing procedures. Documented policies and procedures for [redacted] bug fixes and enhancements do not exist, including a description for the emergency change process. The access group "[redacted]" has modify, read, execute, and write access to the [redacted] application program libraries. We determined that this gives all FLETC domain level users modify, read, execute, and write access to the [redacted] application program libraries.

FLETC  FLETC-IT-07-02  (Disposition: Repeat, FLETC-IT-08-02)
  Description: The Change Control and Configuration Management SOP for all preventative maintenance and patch management over [redacted] is currently in draft form. Additionally, the Change Control and Configuration Management SOP does not detail testing procedures. Documented policies and procedures for [redacted] bug fixes and enhancements do not exist, including a description for the emergency change process. All FLETC domain level users inappropriately have modify, read, execute, and write access to the [redacted] support files.

FLETC  FLETC-IT-07-03  (Disposition: Repeat, FLETC-IT-08-03)
  Description: The installation of [redacted] system software is not currently logged or reviewed by FLETC management.

FLETC  FLETC-IT-07-04  (Disposition: Repeat, FLETC-IT-08-04)
  Description: The SDLC for [redacted] is currently in draft form.

FLETC  FLETC-IT-07-05  (Disposition: Repeat, FLETC-IT-08-05)
  Description: [redacted] server level and [redacted] database backups are not periodically tested. Procedures or a testing schedule are not in place for [redacted] server level and [redacted] database backups.

FLETC  FLETC-IT-07-06  (Disposition: Repeat, FLETC-IT-08-06)
  Description: The [redacted] contingency plan has not been fully tested. We determined that the recovery and resumption procedures were not tested during the table-top test of the [redacted] contingency plan.

FLETC  FLETC-IT-07-07  (Disposition: Repeat, FLETC-IT-08-07)
  Description: The FLETC Computer Security Operations Center and Computer Security Incident Response Capability SOP is currently in draft form. We noted that incidents are not tracked from inception to resolution in an incident response management system.

FLETC  FLETC-IT-07-08  (Disposition: Repeat, FLETC-IT-08-08)
  Description: We noted that incompatible duties over [redacted] have not been identified, nor have policies and procedures been developed to segregate incompatible duties.

FLETC  FLETC-IT-07-09  (Disposition: Repeat, FLETC-IT-08-09)
  Description: We determined that FLETC has documented procedures entitled "Telecom Room Access Standard Operating Procedures", which are currently in draft form. All personnel on the Telecom Room access listing and regular visitors to the Telecom Room will have fire suppression training provided. However, FLETC failed to provide the fire suppression training materials or a listing of individuals who attended the training.

FLETC  FLETC-IT-07-10  (Disposition: Repeat, FLETC-IT-08-10)
  Description: Procedures over access authorizations and the periodic review of user accounts for [redacted] do not exist. FLETC Manual (FM) 4300: Information Technology System Security Program and Policy, which establishes the policies to be followed when an employee or contractor is separated or terminated, is currently in draft form. We found that termination SOPs for [redacted] and [redacted] are currently under development. [redacted] does not require passwords to contain a combination of upper and lower case letters and special characters.

FLETC  FLETC-IT-07-11  (Disposition: Repeat, FLETC-IT-08-11)
  Description: We determined that the FLETC Directive (FD) 43220: IT System Security Awareness and Training is in draft form.

FLETC  FLETC-IT-07-12  (Disposition: Repeat, FLETC-IT-08-12)
  Description: We determined that FLETC has developed policies and procedures over the authorization and use of mobile code technologies in "FM 4300: Information Technology System Security Program and Policy." However, we noted that this policy is in draft form.

FLETC  FLETC-IT-07-13  (Disposition: Repeat, FLETC-IT-08-13)
  Description: We determined that FLETC has developed policies and procedures to proactively monitor sensitive access to system software utilities for Momentum in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that this policy is in draft form.

FLETC  FLETC-IT-07-14  (Disposition: Repeat, FLETC-IT-08-14)
  Description: We determined that FLETC has developed policies for restricting access to [redacted] system software in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that this policy is in draft form. We noted that FLETC has developed procedures for restricting privileged and sensitive access, including access to [redacted] system software, in the Logical Access Controls - SOP, which is currently in draft form.

FLETC  FLETC-IT-07-15  (Disposition: Repeat, FLETC-IT-08-15)
  Description: We noted that FLETC has developed policies for the segregation of duties in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that the policy is currently in draft form. We noted that FLETC has developed procedures for the segregation of duties in the "Logical Access Controls – SOP", which is currently in draft form.

FLETC  FLETC-IT-07-16  (Disposition: Repeat, FLETC-IT-08-16)
  Description: We noted that FLETC has developed policies for the use of VOIP technologies in "FM 4300: Information Technology System Security Program and Policy." However, we noted that the SOP is currently in draft form. The [redacted] hardening guide and SOP are currently in development and not finalized. We determined that FLETC has not completed a security assessment of the [redacted] site's [redacted] installation.

FLETC  FLETC-IT-07-17  (Disposition: Repeat, FLETC-IT-08-17)
  Description: We sampled thirty (30) IT contractors for evidence of background investigations and noted the following:
    • Nine (9) IT contractors did not have evidence that a background investigation was initiated or completed; and
    • For twelve (12) IT contractors, we were not able to validate if background investigations were initiated or adjudicated, due to a lack of documentation or poor documentation of background investigations initiated.

FLETC  FLETC-IT-07-18  (Disposition: Repeat, FLETC-IT-08-18)
  Description: We determined that FLETC has developed policies for the review of [redacted] audit logs in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that the policy is currently in draft form. Procedures around the detailed
review of audit records do not exist. Audit logs are not maintained for [redacted] on an application level.

FLETC  FLETC-IT-07-20  (Disposition: Repeat, FLETC-IT-08-20)
  Description: We noted that the FLETC [redacted] is configured to trigger a domain level password protected screensaver after twenty (20) minutes of inactivity on user workstations, which is not in compliance with the DHS Sensitive System Policy Directive 4300A.

FLETC  FLETC-IT-07-21  (Disposition: Repeat, FLETC-IT-08-21)
  Description: We noted that FM 4300: Information Technology System Security Program and Policy documents policies for the following areas:
    • Use of cryptographic tools over the FLETC;
    • Use of wireless technologies; and
    • Data sharing with external parties outside of FLETC.
  However, we noted that the policy is currently in draft form.

FLETC  FLETC-IT-07-22  (Disposition: Repeat, FLETC-IT-08-22)
  Description: The following [redacted] access control weaknesses were identified:
    • User access violation information is not maintained on an application level;
    • All new users (a total of eight) requesting access to [redacted] failed to have an authorized access request form;
    • Password parameters have been configured to permit users to reuse prior passwords after six (6) iterations; and
    • The [redacted] Administrator is not informed of separated employees via Human Resources (HR); thus, terminated employees' access is not removed in a timely manner.
  Upon notification of this issue, FLETC took corrective action and the [redacted] Administrator is now on the listing of individuals who are informed when an employee is separated.

FLETC  FLETC-IT-07-23  (Disposition: Repeat, FLETC-IT-08-23)
  Description: The following [redacted] access control weaknesses were identified:
    • Lack of documented procedures to recertify users' logical access on a yearly basis; and
    • Recertification of [redacted] users is not performed over all users.

FLETC  FLETC-IT-07-24  (Disposition: Repeat, FLETC-IT-07-24)
  Description: We noted that copies of the [redacted]/[redacted] Contingency Plan are not securely stored off-site at the alternate processing facility.

FLETC  FLETC-IT-07-25  (Disposition: Repeat, FLETC-IT-08-25)
  Description: The following [redacted] and [redacted] service continuity weaknesses were identified:
    • FLETC SOP - Anti-Virus Software for Servers is not finalized; and
    • FLETC SOP - System Maintenance Policy and Procedures is not finalized.

FLETC  FLETC-IT-07-26  (Disposition: Repeat, FLETC-IT-08-26)
  Description: During technical testing, configuration management weaknesses were identified on hosts and databases supporting the [redacted] and [redacted] applications.

FLETC  FLETC-IT-07-27  (Disposition: Repeat, FLETC-IT-08-27)
  Description: During technical testing, patch management weaknesses were identified on hosts and databases supporting the [redacted] and [redacted] Desktop application. The fact that these vendor supplied patches have not been applied in a timely manner could allow a remote attacker to gain unauthorized access on the host or database.

FLETC  FLETC-IT-07-28  (Disposition: Closed)
  Description: We noted that [redacted] and [redacted] server backup tape rotation logs are not consistently maintained.

FLETC  FLETC-IT-07-29  (Disposition: Repeat, FLETC-IT-08-29)
  Description: We noted that [redacted] server level and [redacted] database backups are not periodically tested. We noted that procedures or a testing schedule are not in place for [redacted] server level and [redacted] database backups.

Appendix D

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2008

Management Comments

Report Distribution

  Department of Homeland Security

  Secretary
  Deputy Secretary
  Chief of Staff for Operations
  Chief of Staff for Policy
  Acting General Counsel
  Executive Secretariat
  Under Secretary, Management
  Director, FLETC
  DHS Chief Information Officer
  DHS Chief Financial Officer
  Chief Financial Officer, FLETC
  Chief Information Officer, FLETC
  Chief Information Security Officer
  Assistant Secretary, Policy
  Assistant Secretary, Public Affairs
  Assistant Secretary, Legislative Affairs
  DHS GAO OIG Audit Liaison
  Chief Information Officer, Audit Liaison
  FLETC Audit Liaison

  Office of Management and Budget

  Chief, Homeland Security Branch
  DHS OIG Budget Examiner

  Congress

  Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.